r67396 - in /branches/lenny/libcgi-simple-perl: debian/changelog lib/CGI/Simple.pm t/050.simple.t t/070.standard.t t/headers.t

ntyni at users.alioth.debian.org ntyni at users.alioth.debian.org
Fri Jan 14 20:31:08 UTC 2011


Author: ntyni
Date: Fri Jan 14 20:30:51 2011
New Revision: 67396

URL: http://svn.debian.org/wsvn/pkg-perl/?sc=1&rev=67396
Log:
[SECURITY] CVE-2010-2761 CVE-2010-4410 CVE-2010-4411:
backport fixes for MIME boundary and multiline header vulnerabilities
(Closes: #606379)

Added:
    branches/lenny/libcgi-simple-perl/t/headers.t
Modified:
    branches/lenny/libcgi-simple-perl/debian/changelog
    branches/lenny/libcgi-simple-perl/lib/CGI/Simple.pm
    branches/lenny/libcgi-simple-perl/t/050.simple.t
    branches/lenny/libcgi-simple-perl/t/070.standard.t

Modified: branches/lenny/libcgi-simple-perl/debian/changelog
URL: http://svn.debian.org/wsvn/pkg-perl/branches/lenny/libcgi-simple-perl/debian/changelog?rev=67396&op=diff
==============================================================================
--- branches/lenny/libcgi-simple-perl/debian/changelog (original)
+++ branches/lenny/libcgi-simple-perl/debian/changelog Fri Jan 14 20:30:51 2011
@@ -1,3 +1,11 @@
+libcgi-simple-perl (1.105-1lenny1) UNRELEASED; urgency=low
+
+  * [SECURITY] CVE-2010-2761 CVE-2010-4410 CVE-2010-4411:
+    backport fixes for MIME boundary and multiline header vulnerabilities
+    (Closes: #606379)
+
+ -- Niko Tyni <ntyni at debian.org>  Fri, 14 Jan 2011 22:29:56 +0200
+
 libcgi-simple-perl (1.105-1) unstable; urgency=low
 
   * New upstream release.

Modified: branches/lenny/libcgi-simple-perl/lib/CGI/Simple.pm
URL: http://svn.debian.org/wsvn/pkg-perl/branches/lenny/libcgi-simple-perl/lib/CGI/Simple.pm?rev=67396&op=diff
==============================================================================
--- branches/lenny/libcgi-simple-perl/lib/CGI/Simple.pm (original)
+++ branches/lenny/libcgi-simple-perl/lib/CGI/Simple.pm Fri Jan 14 20:30:51 2011
@@ -948,6 +948,31 @@
         ],
         @params
       );
+
+  my $CRLF = $self->crlf;
+
+  # CR escaping for values, per RFC 822
+  for my $header (
+    $type, $status,  $cookie,     $target, $expires,
+    $nph,  $charset, $attachment, $p3p,    @other
+   ) {
+    if ( defined $header ) {
+      # From RFC 822:
+      # Unfolding  is  accomplished  by regarding   CRLF   immediately
+      # followed  by  a  LWSP-char  as equivalent to the LWSP-char.
+      $header =~ s/$CRLF(\s)/$1/g;
+
+      # All other uses of newlines are invalid input.
+      if ($header =~ m/$CRLF|\015|\012/) {
+        # shorten very long values in the diagnostic
+        $header = substr( $header, 0, 72 ) . '...'
+         if ( length $header > 72 );
+        die
+         "Invalid header value contains a newline not followed by whitespace: $header";
+      }
+    }
+  }
+
     $nph ||= $self->{'.globals'}->{'NPH'};
     $charset = $self->charset( $charset )
       ;    # get charset (and set new charset if supplied)
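Review bot: The diagnostic on the `die` line embeds the offending value after the `m/$CRLF|\015|\012/` test has already established that it still contains a bare CR or LF, so the exception text — and whatever error log it lands in — carries the attacker-controlled line break; the 72-character truncation bounds length but not content. Neutralise the control characters before interpolating, e.g. `$header =~ s/([\015\012])/sprintf('\\x%02X', ord $1)/ge;` immediately before the `die` (the `qr/contains a newline/` tests still pass). Separately, if `-cookie` may arrive as an array reference — the module appears to accept that elsewhere, but the rest of `header` is outside this hunk — the loop matches against the stringified reference rather than the individual cookie strings, so those values are not covered by this check and the cookie path deserves a second look. The `header` sub both starts before and ends after this hunk.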
@@ -1002,7 +1027,6 @@
       if $attachment;
     push @header, @other;
     push @header, "Content-Type: $type" if $type;
-    my $CRLF = $self->crlf;
     my $header = join $CRLF, @header;
     $header .= $CRLF . $CRLF;    # add the statutory two CRLFs
 
@@ -1064,7 +1088,14 @@
     my ( $self, @p ) = @_;
     use CGI::Simple::Util qw(rearrange);
     my ( $boundary, @other ) = rearrange( ['BOUNDARY'], @p );
-    $boundary = $boundary || '------- =_aaaaaaaaaa0';
+  if ( !$boundary ) {
+    $boundary = '------- =_';
+    my @chrs = ( '0' .. '9', 'A' .. 'Z', 'a' .. 'z' );
+    for ( 1 .. 17 ) {
+      $boundary .= $chrs[ rand( scalar @chrs ) ];
+    }
+  }
+
     my $CRLF = $self->crlf;    # get CRLF sequence
     my $warning
       = "WARNING: YOUR BROWSER DOESN'T SUPPORT THIS SERVER-PUSH TECHNOLOGY.";
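Review bot: A caller-supplied `-boundary` is still used verbatim: the new block only generates a value when none is given, and nothing rejects CR/LF (or characters outside the RFC 2046 bchars set) in one that is, so if the `Content-Type: multipart/x-mixed-replace;boundary="..."` line is assembled in the remainder of this sub rather than through `header()` — the rest of `multipart_init` is outside the hunk — the newline check added elsewhere in this commit does not protect it. Adding `die "Invalid boundary contains a newline: $boundary" if $boundary =~ /[\015\012]/;` right after the `if` block closes that gap for both sources. Note also that `rand` is Perl's ordinary PRNG, not a cryptographic one, so the boundary is unguessable only to the extent an attacker cannot observe or influence the seed; that assumption deserves a comment on the generation loop such as `# random boundary so attacker-controlled body content cannot forge a part delimiter; rand() is not cryptographically strong`. The new lines are indented two spaces while the surrounding sub uses four (see `my $CRLF` on the following line), which will make later diffs noisier than they need to be.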

Modified: branches/lenny/libcgi-simple-perl/t/050.simple.t
URL: http://svn.debian.org/wsvn/pkg-perl/branches/lenny/libcgi-simple-perl/t/050.simple.t?rev=67396&op=diff
==============================================================================
--- branches/lenny/libcgi-simple-perl/t/050.simple.t (original)
+++ branches/lenny/libcgi-simple-perl/t/050.simple.t Fri Jan 14 20:30:51 2011
@@ -1,4 +1,4 @@
-use Test::More tests => 331;
+use Test::More tests => 332;
 use Carp;
 use strict;
 use warnings;
@@ -973,12 +973,20 @@
 $sv = $q->multipart_init();
 like(
     $sv,
-    qr|Content-Type: multipart/x-mixed-replace;boundary="------- =_aaaaaaaaaa0"|,
+    qr|Content-Type: multipart/x-mixed-replace;boundary="------- =_[a-zA-Z0-9]{17}"|,
     'multipart_init(), 1'
 );
-like($sv, qr/--------- =_aaaaaaaaaa0$CRLF/, 'multipart_init(), 2');
+like($sv, qr/--------- =_[a-zA-Z0-9]{17}$CRLF/,
+  'multipart_init(), 2' );
 $sv = $q->multipart_init('this_is_the_boundary');
 like($sv, qr/boundary="this_is_the_boundary"/, 'multipart_init(), 3');
+{
+  my $sv1 = $q->multipart_init;
+  my $sv2 = $q->multipart_init;
+  isnt( $sv1, $sv2,
+    "due to random boundaries, multiple calls produce different results"
+  );
+}
 $sv = $q->multipart_init(-boundary => 'this_is_another_boundary');
 like(
     $sv,

Modified: branches/lenny/libcgi-simple-perl/t/070.standard.t
URL: http://svn.debian.org/wsvn/pkg-perl/branches/lenny/libcgi-simple-perl/t/070.standard.t?rev=67396&op=diff
==============================================================================
--- branches/lenny/libcgi-simple-perl/t/070.standard.t (original)
+++ branches/lenny/libcgi-simple-perl/t/070.standard.t Fri Jan 14 20:30:51 2011
@@ -1,4 +1,4 @@
-use Test::More tests => 301;
+use Test::More tests => 302;
 use Carp;
 use strict;
 use warnings;
@@ -984,12 +984,20 @@
 $sv = multipart_init();
 like(
     $sv,
-    qr|Content-Type: multipart/x-mixed-replace;boundary="------- =_aaaaaaaaaa0"|,
+    qr|Content-Type: multipart/x-mixed-replace;boundary="------- =_[a-zA-Z0-9]{17}"|,
     'multipart_init(), 1'
 );
-like($sv, qr/--------- =_aaaaaaaaaa0$CRLF/, 'multipart_init(), 2');
+like($sv, qr/--------- =_[a-zA-Z0-9]{17}$CRLF/,
+  'multipart_init(), 2' );
 $sv = multipart_init('this_is_the_boundary');
 like($sv, qr/boundary="this_is_the_boundary"/, 'multipart_init(), 3');
+{
+  my $sv1 = multipart_init();
+  my $sv2 = multipart_init();
+  isnt( $sv1, $sv2,
+    "due to random boundaries, multiple calls produce different results"
+  );
+}
 $sv = multipart_init(-boundary => 'this_is_another_boundary');
 like(
     $sv,

Added: branches/lenny/libcgi-simple-perl/t/headers.t
URL: http://svn.debian.org/wsvn/pkg-perl/branches/lenny/libcgi-simple-perl/t/headers.t?rev=67396&op=file
==============================================================================
--- branches/lenny/libcgi-simple-perl/t/headers.t (added)
+++ branches/lenny/libcgi-simple-perl/t/headers.t Fri Jan 14 20:30:51 2011
@@ -1,0 +1,84 @@
+
+# Test that header generation is spec compliant.
+# References:
+#   http://www.w3.org/Protocols/rfc2616/rfc2616.html
+#   http://www.w3.org/Protocols/rfc822/3_Lexical.html
+
+use strict;
+use warnings;
+
+use Test::More 'no_plan';
+
+use CGI::Simple;
+
+my $cgi = CGI::Simple->new;
+
+like $cgi->header( -type => "text/html" ),
+ qr#Type: text/html#, 'known header, basic case: type => "text/html"';
+
+eval {
+  like $cgi->header(
+    -type => "text/html" . $cgi->crlf . "evil: stuff" ),
+   qr#Type: text/html evil: stuff#, 'known header';
+};
+like( $@, qr/contains a newline/, 'invalid header blows up' );
+
+like $cgi->header(
+  -type => "text/html" . $cgi->crlf . " evil: stuff " ),
+ qr#Content-Type: text/html evil: stuff#,
+ 'known header, with leading and trailing whitespace on the continuation line';
+
+eval {
+  like $cgi->header(
+    -foobar => "text/html" . $cgi->crlf . "evil: stuff" ),
+   qr#Foobar: text/htmlevil: stuff#, 'unknown header';
+};
+like(
+  $@,
+  qr/contains a newline/,
+  'unknown header with CRLF embedded blows up'
+);
+
+like $cgi->header( -foobar => "Content-type: evil/header" ),
+ qr#^Foobar: Content-type: evil/header#m,
+ 'unknown header with leading newlines';
+
+eval {
+  like $cgi->redirect(
+    -type => "text/html" . $cgi->crlf . "evil: stuff" ),
+   qr#Type: text/htmlevil: stuff#, 'redirect w/ known header';
+};
+like(
+  $@,
+  qr/contains a newline/,
+  'redirect with known header with CRLF embedded blows up'
+);
+
+eval {
+  like $cgi->redirect(
+    -foobar => "text/html" . $cgi->crlf . "evil: stuff" ),
+   qr#Foobar: text/htmlevil: stuff#, 'redirect w/ unknown header';
+};
+like(
+  $@,
+  qr/contains a newline/,
+  'redirect with unknown header with CRLF embedded blows up'
+);
+
+eval {
+  like $cgi->redirect(
+    $cgi->crlf . $cgi->crlf . "Content-Type: text/html" ),
+   qr#Location: Content-Type#, 'redirect w/ leading newline ';
+};
+like(
+  $@,
+  qr/contains a newline/,
+  'redirect with leading newlines blows up'
+);
+
+{
+    my $cgi = CGI::Simple->new('t=bogus%0A%0A<html>');
+    my $out;
+    eval { $out = $cgi->redirect( $cgi->param('t') ) };
+    like($@,qr/contains a newline/, "redirect does not allow double-newline injection");
+}
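Review bot: The `like` calls wrapped in `eval` at the head of each negative case never yield a passing assertion — they run only if `header()`/`redirect()` fails to die, and their expected patterns then disagree with one another (`Type: text/html evil: stuff` with a space versus `Type: text/htmlevil: stuff` without), so they document nothing reliable; `eval { $cgi->header( -type => "text/html" . $cgi->crlf . "evil: stuff" ) };` followed by the existing `like( $@, qr/contains a newline/, ... )` states the intent without the dead expectation. The description `'unknown header with leading newlines'` on the `-foobar => "Content-type: evil/header"` case does not match its input, which contains no newline at all; something like `'unknown header whose value looks like a header line'` is accurate. None of the rejected inputs exercises a lone CR (`\015`) — every one is built from `$cgi->crlf` or `%0A` — so the `\015` alternative of the new check has no coverage; one case such as `-type => "text/html\015evil: stuff"` would close that. Since the file uses `'no_plan'`, an early exit after the first few cases would still pass, which is worth keeping in mind if a fixed plan is an option for the target Test::More.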



